Compliance
At AmericanEMR, safeguarding your data is our priority. We understand its significance to your business, and we're committed to ensuring its protection. With Google Cloud Database, you can rest assured that security and control over your sensitive data remain uncompromised. Transparency is key to building trust, and we're transparent about our shared responsibility in safeguarding and managing your data in the cloud. Trust us to keep your data secure while you focus on what matters most—your patients.
HIPAA USA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that establishes data privacy and security requirements for organizations that are charged with safeguarding individuals' protected health information (PHI). These organizations meet the definition of “covered entities” or “business associates” under HIPAA. We are proud to let you know that all of our Cloud Database and Servers are HIPAA compliant. Additional HIPAA resources: HHS.gov: Health Information Privacy
USDM Life Sciences GLOBAL
USDM Life Sciences performed an independent assessment that included the design, development, testing, qualification, and maintenance methodologies of Google Cloud. USDM’s vendor assessment covered Google Cloud’s quality system framework, software development methodology, software qualification processes and artifacts, configuration management, documentation, records management, security, training, and education. The audit results are compiled into a comprehensive Google Cloud Vendor Assurance Report that summarizes the audit, cites all source material reviewed during the audit activities, and links to publicly available content. If you are interested in a copy of the USDM’s Vendor Assurance Report for Google Cloud, fill out this form to request a copy. You can leverage the assessment as documentation of Google Cloud’s meeting appropriateness and sufficiency for safety and effectiveness of its intended use. For additional questions, please email USDM for more information: [email protected].
CSA GLOBAL
The Cloud Security Alliance is a non-profit organization whose mission is to “promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.” The CSA’s Security, Trust & Assurance Registry Program (CSA STAR) is designed to help customers assess and select a Cloud Service Provider through a three-step program of self-assessment, third-party audit, and continuous monitoring. Google Cloud has achieved the third-party assessment-based certification (CSA STAR Level 2: Attestation) for Google Cloud and Google Workspace, resulting in a CSA Star SOC2+ report. Additionally, Google Cloud has achieved the CSA Star Level 2: Certification for Google Cloud services hosted in the Dammam, Saudi Arabia data center, resulting in a CSA Star ISO certificate.
HITRUST CSF® GLOBAL
The HITRUST CSF is an industry-agnostic certifiable framework for regulatory compliance and risk management. This framework, developed by the not-for-profit organization HITRUST, contains a set of prescriptive controls that relate to the organizational processes and technical controls for processing, storing, and transmitting sensitive data. Google Workspace and Google Cloud have achieved HITRUST CSF certification. A Shared Responsibility Matrix developed jointly by Google and HITRUST is available as a free download.
International Compliance
PHIPA CANADA
Healthcare data is protected by a number of privacy laws and regulations in Canada. In addition to the federal laws, Canadian provinces maintain their own privacy laws. In the province of Ontario, Canada, the Personal Health Information Protection Act (PHIPA) establishes general principles for the collection, use, and disclosure of personal health information (PHI). The legislation outlines comprehensive information practices for handling PHI including security, retention, and access. While Google Cloud customers are responsible for their own due diligence, we have developed a whitepaper that describes how Google Cloud leverages state-of-the-art data privacy and security capabilities to store, process, maintain, and secure customer data.
Class C license (KSA) SAUDI ARABIA
The Communications, Space and Technology Commission (CST) in the Kingdom of Saudi Arabia has granted a Class C License to Google Cloud in the Dammam region, enabling Google Cloud to provide services within the region. The qualification is based on an assessment by the National Cybersecurity Authority (NCA) against the NCA’s Essential Cybersecurity Controls (ECC) and the Cloud Cybersecurity Controls (CCC). The ECC sets the minimum cybersecurity requirements for organizations that are within its scope, while the CCC is an extension to the ECC with the goal of minimizing cybersecurity risks of Cloud Service Providers and Cloud Services Tenants. Customers can find Google’s license on the CST website.
PDPA TAIWAN
The Personal Data Protection Act (PDPA) and related Enforcement Rules of the Personal Data Protection Act (the “Enforcement Rules”) govern data protection in Taiwan. They place obligations on entities that collect, use, process, and disclose personal data and grant certain rights to data subjects.
Google is committed to helping our customers meet their obligations under the PDPA by offering convenient tools and building strong privacy and security protections into our services and contracts. We have published a whitepaper describing how Google Cloud implements data privacy and security capabilities to help our customers comply with the PDPA.
PDPA PHILIPPINES
The Philippines Data Privacy Act of 2012 (PDPA) (also known as Republic Act No. 10173) took effect on 8 September 2012 and along with the final implementing rules and regulations (IRR), is the comprehensive law governing data privacy in the Philippines. It sets forth obligations for both data controllers and data processors and extends certain rights to data subjects. The law also endowed a National Privacy Commission (NPC), responsible for enforcing and overseeing the law, with rulemaking power.
MeitY INDIA
The Ministry of Electronics and Information Technology (MeitY) provides requirements and guidelines for Cloud Service Providers (CSPs) to empanel (register) their services with the Government of India. Once empaneled, CSPs are permitted to do business as per the Guidelines for Procurement of Cloud Services. The empanelment process detailed by MeitY dictates a set of mandatory categories of services to be offered by CSPs, as well as additional optional services. The services in scope for this empanelment are the Google Cloud Platform services offered from the Mumbai Region Data Center (asia-south1) and Delhi Region Data Center (asia-south2). An independent auditor appointed by the Government of India - the Standardisation Testing and Quality Certification (STQC) Directorate, an attached office of the Ministry of Electronics and Information Technology, performed an audit and issued a report to MeitY confirming our conformance with their requirements. Based on the evaluation, MeitY issued a letter confirming our empanelment for Google Platform Services.
PDPA Malaysia
The Personal Data Protection Act 2010 (PDPA) was passed by the Malaysian Parliament on 2 June, 2010 and came into force on 15 November, 2013. It governs the collection, use, and disclosure of personal data and requires certain entities to register their processing activities. It also grants rights to data subjects, including rights to access, correction, consent withdrawal, and objection to certain types of processing. Google is committed to helping our customers meet their obligations under the PDPA by offering convenient tools and building strong privacy and security protections into our services and contracts. We have published a whitepaper describing how Google Cloud implements data privacy and security capabilities to help our customers comply with the PDPA.
PDPA Singapore
The Personal Data Protection Act 2012 (PDPA) is a data protection law administered and enforced by the Personal Data Protection Commission (PDPC). Singapore’s PDPA governs the collection, use, disclosure, and care of personal data as described in the quick guide to the PDPA. At the center of the PDPA are the data protection obligations including consent, purpose limitation, notification, access and correction, accuracy, protection, retention, transfer, and openness.
We have created a whitepaper intended to help our customers understand the PDPA and how Google Cloud implements data privacy and security capabilities to store, process, maintain, and secure customer data in a way that aids customers in meeting their PDPA obligations.
NHS (UK) UNITED KINGDOM
The United Kingdom’s National Health Service (NHS) Department of Health and Social Care Information Center policy mandates that all organizations that process NHS patient data and systems must provide assurances that they are practising good data security and that personal information is handled correctly. NHS Digital, a national public body in England, has developed the Data Security and Protection Toolkit (DSP Toolkit), an online self-assessment tool that allows organizations to assess themselves or be assessed against information governance policies and standards. Google Workspace is also accredited as a secure email service for health and social care in the UK, including where email is used for the sharing of patient-identifiable data.
National Information Assurance QATAR
Qatar National Cyber Security Agency’s (NCSA) approved National Information Assurance (NIA) policy is a comprehensive framework based on the best practices of leading organizations and international standards. It is designed to guide organizations in implementing effective information security controls. The NIA policy assists organizations in protecting their information assets, managing risks, complying with regulations, and achieving international standard certifications. NCSA requires a third-party assessment of any organization interested in being certified against the NIA policy. The robust certification process requires that a third party assess a cloud provider's security controls and compliance with Qatari laws and regulations.
PDPD VIETNAM
Vietnam’s Decree No. 13/2023/ND on the Protection of Personal Data or Personal Data Protection Decree (“PDPD”) came into full effect on July 1, 2023 and is the first comprehensive law governing data privacy in Vietnam. The PDPD applies to:
POPI SOUTH AFRICA
South Africa’s Protection of Personal Information Act (POPI) establishes requirements for how both public and private organizations process personal information. Organizations that are subject to POPI and that engage in the collection, storage, or processing of personal information must comply with this law. Google provides product capabilities and contractual commitments to facilitate our customers’ compliance with South Africa's POPI Act. Customers subject to POPI can review the Cloud Data Processing Addendum to see Google Cloud’s security and privacy commitments to customers clearly articulated.
DSA BANGLADESH
The Digital Security Act, 2018 (DSA) was enacted with the goal of enhancing data security and safety online for the citizens of Bangladesh. It governs a variety of data processing activities including the use, retention, and transmission of data, including data outside the scope of traditional personal data, which under the DSA is known as “identity information”. The DSA empowers the National Digital Security Council (NDSC) to formulate and issue data protection guidance as required. Google is committed to helping our customers meet their obligations under the DSA by offering convenient tools and building strong privacy and security protections into our services and contracts. We have published a whitepaper describing how Google Cloud implements data privacy and security capabilities to help customers comply with the DSA.
PDP Law Indonesia
The Indonesia Personal Data Protection Law (“PDP Law”), enacted on October 17, 2022, regulates the collection, use, disclosure, and other processing of personal data by international organizations and governmental and private entities. We have created a whitepaper to help our customers understand the PDP Law and how Google Cloud implements data privacy and security capabilities to store, process, maintain, and secure customer data in a way that aids customers in meeting their PDP Law obligations.
PDPA Philippines
The Philippines Data Privacy Act of 2012 (PDPA) (also known as Republic Act No. 10173) took effect on 8 September 2012 and along with the final implementing rules and regulations (IRR), is the comprehensive law governing data privacy in the Philippines. It sets forth obligations for both data controllers and data processors and extends certain rights to data subjects. The law also endowed a National Privacy Commission (NPC), responsible for enforcing and overseeing the law, with rulemaking power. Google Cloud is committed to helping our customers meet their obligations under the PDPA by offering convenient tools and building strong privacy and security protections into our services and contracts. We have published a whitepaper describing how Google Cloud implements data privacy and security capabilities to help our customers comply with the PDPA.
K-ISMS Korea
The Korea Information Security Management System (“K-ISMS”) is an information security management standard operated by Korea Internet & Security Agency (“KISA”). K-ISMS was prepared to evaluate whether enterprises and organizations operate and manage their information security management system (ISMS) consistently and securely such that they protect key information assets from various threats. The legal background for K-ISMS is provided in Article 47 of the Act on Promotion of Information and Communication Network Utilization and Information Protection (Certification of ISMS). Google Cloud has successfully achieved the K-ISMS certification, covering our data center located in Seoul, South Korea. The thorough certification audit was performed by KISA, a governmental institution affiliated with the Korean Ministry of Science and ICT (MSIT). Our customers can rely on our certification to more easily prove compliance with their Korean requirements to protect key digital information assets and meet KISA compliance standards.
And many more coming soon!
Application Service Status
Click on any region below to check the live Status:
North American Region
European Region
Middle Eastern Region
Asian Region
*All trademarks are the property of their respective owners
This page contains information about Google's certifications and compliance standards it satisfies as well as general information about certain region or sector-specific regulations.